Privacy notice for employment

As an employer, the Kettering General Hospital NHS Trust (KGH or Trust) must meet its contractual, statutory and administrative obligations. We are committed to ensuring that the personal data of our employees is handled in accordance with the principles set out in Data Protection Law.
 
KGH collects, holds and processes personal data and sensitive data about prospective, current and former employees including substantive employees, bank and agency workers, contracted staff, volunteers, trainees and those carrying out work experience. This privacy notice tells you what to expect when KGH collects personal information about you. The information we will process about you will vary depending on your specific role and personal circumstances.

KGH is the data controller for this information. Details of our Data Protection Officer can be found below:
Telephone: 01536 491526
 
This notice should be read in conjunction with other relevant Information Governance policies and procedures.

How we get your information

We get information about you from the following sources:
  • Directly from you
  • From an employment agency
  • From referees, either external or internal, providing confidential information about your suitability to the role
  • Inter Authority Transfer (IAT) – information held by your previous NHS employer
  • From the Disclosure and Barring Service where applicable, which will inform us about any criminal convictions you may have
  • From Occupational Health and other health providers
  • From Pension administrators when transferring within the NHS
  • From Her Majesty’s Revenue and Customs (HMRC) relating to your pay, tax and employment
  • From government departments about your right to work and visa applications
  • From your Trade Union
  • From providers of staff benefits
  • Confirmation of your registration with a professional body
  • CCTV images taken using our own CCTV systems

Personal data we hold about you

When you apply for a position within the Trust you will provide us with relevant information about you, including:
  • Name
  • Address and telephone contact details
  • Employment history
  • Qualifications
  • Referee details
 
During the recruitment and selection process we will add further information including:
  • Publicly available information such as social media presence
  • Selection information including correspondence, interview notes, and results of any selection tests etc.
 
For the purposes of carrying out employee verification checks prior to an employment offer, we will collect additional information from you including:
  • Copy of qualifications/certificates
  • Pre-employment checks, including references, identity documents and ‘right to work’ information
  • Bank details
 
Following your appointment, we may add any other information that you supply to us or that is required as part of your employment, including:
  • Training, appraisal and revalidation information
  • Occupational health information (medical information including physical or mental health conditions)
  • Details of any absences (other than holidays) including statutory parental leave and sick leave
  • Vaccination status (including Flu and COVID-19)
  • Information relating to health and safety
  • Employment tribunal applications
  • Complaints
  • Accidents
  • Incident details

Legal basis for processing your personal data

We will only use your personal data when the law allows us to. Data Protection Law sets out the legal bases for processing personal data. The most common legal bases we rely on for processing your personal data are:
  • Where we need to perform the employment contract we have entered into with you.
  • Where we need to comply with a legal obligation.
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
  • Where it is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.

How your information is secured

We ensure that appropriate measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.
 
We have in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. We will only transfer personal data to a third party if the third party agrees to comply with those procedures and policies, or if it puts in place adequate measures.
 
Maintaining data security means guaranteeing the confidentiality, integrity, and availability (for authorised purposes) of the personal data.

Your personal data is held in both electronic and paper formats. Information may be held centrally by the Human Resources (HR) department and locally with your line manager.
All paper files are kept in secure locked cabinets/cupboards and only relevant staff will have access to this information.
 
Electronic information is accessed on a need-to-know basis only using the Trust’s Electronic Staff Record (ESR) system. Some information may be held on the Trust’s secure drives or shared folders where access is only granted to appropriate individuals.

How your data is used

The Trust will use your information to administer your employment and associated functions. Your personal data will be shared between relevant colleagues who legitimately need the information to carry out their duties, e.g. your line manager and the Human Resources (HR) department.

The Trust uses staff data for all purposes associated with the administration of the employer/employee relationship and to meet our legal obligations.
 
The purposes for which we may use staff data (including sensitive personal information)

| Purpose | Legal Basis |
| --- | --- |
| Recruitment and Selection | Legitimate interest – the legitimate interest being the employment of a suitable workforce/Performing a task in the public interest |
| Assessing qualifications for a particular job or task | Legitimate interest - the legitimate interest being employment of a suitable workforce/Performing a task in the public interest |
| Checking you are legally entitled to work in the UK | Legal obligation |
| Where eligible, checking your criminal record | Legal obligation |
| Uploading information onto Employment Staff Record | Legitimate interest – the legitimate interest being the employment of a suitable workforce/Performing a task in the public interest |
| Paying you, deducting tax, National Insurance contributions and trade union fees | Contract/Legal obligation |
| Pension Administration | Contract |
| Making decisions about salary reviews and compensation | Contract |
| Conducting performance reviews, managing performance and determining performance requirements | Legitimate interest - the legitimate interests being maintaining employment records and complying with legal and regulatory obligations; good employment practice and to ensure safe working practices in the provision of the healthcare service/Performing a task in the public interest |
| Managing sickness absence and assessing your right to occupational sick pay | Contract/Legal obligation |
| Provision of Occupational Health services | Contract/Legal obligation |
| Administering the contract we have entered into with you | Contract/Legal obligation |
| Education, training and development requirements | Legitimate interest - the legitimate interest being the employment of a suitable workforce/Performing a task in the public interest |
| Business management and planning, including accounting and auditing | Legitimate interest - the legitimate interest being the employment of a suitable workforce/Performing a task in the public interest |
| Compliance with legal obligations such as making external/statutory returns to NHS England, sharing information with HMRC | Legal obligation |
| Managing a safe environment and ensuring fitness to work | Legal obligation |
| Equal opportunities monitoring | Legal obligation |
| Compliance with Health and Safety obligations | Legal obligation |
| Sharing and matching of personal information for national fraud initiative | Legal obligation |
| Dealing with legal disputes involving you, or other employees, workers and contractors, including accidents at work | Legal obligation |
| Gathering evidence for possible grievance or disciplinary hearings | Legitimate interest - the legitimate interests being maintaining employment records and complying with legal and regulatory obligations; good employment practice and to ensure safe working practices and the effective provision of health care services/Performing a task in the public interest |
| Making arrangements for the termination of our working relationship | Legitimate interest - the legitimate interests being maintaining employment records and complying with legal and regulatory obligations; good employment practice and to ensure safe working practices and the effective provision of health care services/Performing a task in the public interest |
| To monitor your use of information and communication systems to ensure compliance with IT policies | Legitimate interest – the legitimate interests being to monitor and manage staff access to our systems and facilities; to protect our networks, and the personal data of employees and service users, against unauthorised access or data leakage; to ensure our policies, such as those concerning security and internet use, are adhered to for operational reasons, such as maintaining employment records, maintaining service user records, training and quality control to ensure that sensitive information is kept confidential |

Using your image

At the time of your recruitment, we take photographs which are then used for smartcards and ID cards. This photograph may also be used in local/departmental areas and on the hospital intranet page to support the identification of employees. You may be asked to update this image on a regular basis to ensure that it is still usable for the purpose of employee identification.

If you agree to your photograph being taken or take part in a video or audio recording for any purpose other than for smartcards and ID cards (such as publishing, republishing, transmitting or broadcasting across a range of print, online, broadcast and social media channels to promote the principles and practices of the hospital), we will first seek your consent.

Sharing your information with third parties

The Trust may disclose personal and sensitive information to a variety of recipients including:
  • Our employees, agents and contractors where there is a legitimate reason for them receiving the information
  • Current, past or potential employers of our employees to provide or obtain references
  • Professional and regulatory bodies (e.g. Nursing and Midwifery Council (NMC), Health and Care Professions Council (HCPC), General Medical Council (GMC)) in relation to the confirmation of conduct including complaints, job description and information provided as part of the recruitment process
  • Government departments and agencies where we have a statutory obligation to provide information (e.g. HMRC, NHS Digital, Department of Health and the Home Office)
  • The Disclosure and Barring Service (DBS) and DBS Update Service where we require a DBS check for certain roles
  • Third parties who work with us to provide employee support services (e.g. counselling)
  • Third parties who provide systems to help us provide quality health care to our patients
  • Internal and external auditors
  • Debt collection and tracing agencies
  • Courts and tribunals
  • Trade union and staff associations
  • Survey organisations for example for the annual national NHS Staff Survey
  • Training providers
 
Any disclosures of personal data are always made on a case-by-case basis, using the minimum personal data necessary for the specific purpose and circumstances and with the appropriate security controls in place. Information is only shared with those agencies and bodies who have a "need to know" or where you have consented to the disclosure of your personal data to such persons.
 
Where possible, we will always look to anonymise/pseudonymise your personal information so as to protect confidentiality, unless there is a legal basis that permits us to use it and we will only ever use/share the minimum information necessary.
 
However, there are occasions where the Trust is required by law to share information provided to us with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.
 
There are a number of circumstances where we must or can share information about you to comply with or manage:
  • disciplinary/investigation processes and serious incident management, including but not limited to referrals to professional bodies, e.g. the Nursing and Midwifery Council and the General Medical Council and to seek advice from relevant professions for expert opinions
  • legislative and/or statutory requirements
  • court orders which may have been imposed on us
  • NHS counter-fraud requirements
  • requests for information from the police and other law enforcement agencies for the prevention and detection of crime, and/or fraud if the crime is of a serious nature

People Pulse Survey

The University Hospitals of Northamptonshire NHS Group consisting of Kettering General Hospital and Northampton General Hospital have chosen to partner with Qualtrics to offer a ‘People Pulse Survey’ to Trust employees.

The aim of the survey is to obtain views and feedback from employees on a number of topics, and to gather ideas, thoughts and feelings about our individual workspace or the broader workplace and to understand what it is that the Group is doing well and what we can be doing even better. The People Pulse Survey will run frequently throughout each year.

Results will be presented at Group briefings and/or KGH briefings to share with you what you and other colleagues have shared.

Results will be non-attributable and small number suppression will be used to prevent individuals being identified from aggregated responses.

In order to provide access to the survey and to allow the results to be grouped by department, KGH will share personal information with Qualtrics. This includes:
  • Name
  • Work Email Address
  • Job Role
 
Whilst this information is not being shared at present, KGH will also be looking to transfer the following information:
  • Age
  • Gender
  • Sexual Orientation
  • Disability
  • Ethnicity
 
Our legal basis for sharing this information is Article 9 (2) (b) of the UK GDPR. Sharing this special category data allows the Group to identify staff groups that may feel disadvantaged or marginalised, and to take action to address this. This is in line with our obligations to the Public Sector Equality Duty (Part 1 of Equality Act 2010).

Electronic Staff Record and Inter Authority Transfer (IAT)

On commencement of employment with the Trust, your personal data will be uploaded to the Electronic Staff Record (ESR). ESR is a workforce solution for the NHS which is used to effectively manage the workforce leading to improved efficiency and improved patient safety.

Factual references

In accepting employment, you accept that the following personal data will be transferred under a reference request programme if your employment transfers to another organisation:
  • Name
  • Date of Birth
  • Dates of employment
  • Most recent role title held on ESR
  • Days and episodes of sickness in the last two years
  • Any formal warnings or formal investigations pending including safeguarding concerns
  • Date, level and outcome of DBS check undertaken

Monitoring of System Access

In accordance with the Trust’s Acceptable Use Policy (IG02), the Trust monitors the use of its IT systems and equipment and reserves the right to notify HR and the line manager of an employee where a violation of the policy is identified. All employees consent to the monitoring and recording of electronic communications and IT systems for safety and security, namely for the purpose of ensuring that rules are being complied with and that usage is for legitimate business purposes. All employees shall comply with any electronic communications systems policies that the Trust may issue from time to time.
 
The Data Security and Protection Team will monitor access to all clinical systems. Any access without a justifiable and professional need will be investigated to ensure the access was appropriate. Unauthorised access to any clinical system will be classed as a breach of the Acceptable Use Policy and may result in disciplinary action.
 
All information created on Trust devices is the property of the Trust and therefore may be subject to audit and review. Records created on Trust systems, such as emails, may be required and disclosed in relation to a Subject Access Request or to support an investigation. In these situations, where doing so would not prejudice the investigation, the Trust will make every effort to inform employees of the requirement to access this information prior to access.

Transfer of personal data outside of the UK

Your personal data may be transferred outside of the UK, for example, if the Trust uses a cloud information technology service which has servers in the EU or outside of the European Economic Area (EEA). A Data Protection Impact Assessment will have been completed to ensure that data is held securely and within the requirements of the law.
 
If your data is transferred overseas there will be a contract in place, and a Data Processing Agreement that ensures responsibility for safeguarding data.

Keeping your information up to date

It is important that the personal data that the Trust holds about you is accurate and kept up to date. It is your responsibility to ensure that the information held in the Electronic Staff Record (ESR) is correct and you should notify your line manager promptly of any changes to your details.

How long do we keep your information?

We will only retain your personal data for as long as necessary to fulfil the purposes for which we collected it, including the purposes of satisfying any legal, accounting, or reporting requirements. Retention periods for personal data will vary according to the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. We ordinarily follow the retention periods set out in the NHS Records Management Code of Practice.
 
You should be aware that employee documentation is ordinarily retained for six years after termination of employment, which is the statutory limitation period for breach of contract claims, and then promptly deleted once that period has passed. A summary of your records will be kept until your 75th birthday or six years after leaving, whichever is the longer, and then reviewed. For unsuccessful job candidates, documentation is retained for six months after the candidate is rejected for a role and then deleted.
 
However, it should be noted that there is some legislation which requires certain health monitoring data to be retained for up to 40 years and, for clinical staff where there is a negligence claim in relation to a child, the normal three-year personal injury limitation period is extended until that child reaches 21 years of age. We have put a system in place so that the data of staff who may be at risk of certain diseases, or who were involved in an incident that could give rise to a clinical negligence claim which requires a longer retention period than six years, are marked appropriately as needing to be retained for a longer period.
 
If we are able to anonymise your personal data so that you can no longer be identified from it, we may use such information without further notice to you.
 
The Trust has an IG07 Records Management Policy. This is based on the NHS Records Management Code of Practice.

Your Rights

For information on your rights, please see Your rights.

Students

The Trust works with partner academic organisations to support and mentor students and apprentices during their placements. Student and apprentice information is processed in accordance with the individual learning agreements in place with the academic institution.
 
This data is required to facilitate support and mentoring of individuals and to ensure compliance with the terms and conditions outlined via contract or learning agreement.
 
The lawful basis relied on to process student personal data for the purposes of employment is:
  • when it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Art 6(1)e)
  • when processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law (Art 9(2)b)

Equality and Diversity Data

As a Trust we have a duty to eliminate unlawful discrimination, harassment, or victimisation, to advance equality of opportunity and to foster good relations. All public bodies must treat people from different groups fairly and equally. Data on equality and diversity is captured in accordance with the Equality Act 2010.
 
Special Category Personal Data provided to the Trust for the purpose of healthcare delivery, management, and treatment:
 
9(2)(b) necessary for the carrying out of obligations under employment, social security or social protection law, or a collective agreement;
 
Below are the lawful bases relied on by the Trust to process Equality and Diversity Data:
 
Special Category Personal Data provided to the Trust for the purpose of compliance with Equality legislation:
 
9(2)(b) necessary for the carrying out of obligations under employment, social security or social protection law, or a collective agreement.